800-53|AC-2

Title

ACCOUNT MANAGEMENT

Description

The organization:

Supplemental

Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes.
Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training.

Reference Item Details

Related: AC-10, AC-17, AC-19, AC-20, AC-3, AC-4, AC-5, AC-6, AU-9, CM-11, CM-5, CM-6, IA-2, IA-4, IA-5, IA-8, MA-3, MA-4, MA-5, PL-4, SC-13

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P1

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.1 Ensure a separate user and group exist for Cassandra - group | Unix | CIS Apache Cassandra 3.11 L2 Unix Audit v1.0.0
1.1 Ensure a separate user and group exist for Cassandra - group | Unix | CIS Apache Cassandra 3.11 L1 Unix Audit v1.0.0
1.1 Ensure a separate user and group exist for Cassandra - passwd | Unix | CIS Apache Cassandra 3.11 L2 Unix Audit v1.0.0
1.1 Ensure a separate user and group exist for Cassandra - passwd | Unix | CIS Apache Cassandra 3.11 L1 Unix Audit v1.0.0
1.1 Ensure a separate user and group exist for Cassandra - user exists in group | Unix | CIS Apache Cassandra 3.11 L2 Unix Audit v1.0.0
1.1 Ensure a separate user and group exist for Cassandra - user exists in group | Unix | CIS Apache Cassandra 3.11 L1 Unix Audit v1.0.0
1.1.1 Enable 'aaa new-model' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
1.1.1 Enable 'aaa new-model' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2016 DC L1 v1.3.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Windows Server 2012 R2 DC L1 v2.5.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2016 MS L1 v1.3.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2016 STIG DC STIG v1.1.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2016 STIG MS STIG v1.1.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2019 STIG DC STIG v1.0.1
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2019 STIG MS STIG v1.0.1
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2016 STIG DC L1 v1.1.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2019 STIG DC L1 v1.0.1
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2016 STIG MS L1 v1.1.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2019 STIG MS L1 v1.0.1
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Windows Server 2012 R2 MS L1 v2.5.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more passwords' | Windows | CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1 + NG
1.1.1 Ensure 'Enforce password history' is set to '24 or more passwords' | Windows | CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1
1.1.1 Ensure 'Enforce password history' is set to '24 or more passwords' | Windows | CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1 + BL
1.1.1 Ensure 'Enforce password history' is set to '24 or more passwords' | Windows | CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1 + BL + NG
1.1.1.1 Ensure mounting of udf filesystems is disabled - lsmod | Unix | CIS Google Container-Optimized OS L2 Server v1.0.0
1.1.1.1 Ensure mounting of udf filesystems is disabled - modprobe | Unix | CIS Google Container-Optimized OS L2 Server v1.0.0
1.1.2 (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1
1.1.2 (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
1.1.2 Enable 'aaa authentication login' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
1.1.2 Enable 'aaa authentication login' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Windows Server 2012 DC L1 v2.2.0
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Windows Server 2012 MS L1 v2.2.0
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.2.0
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2016 STIG DC STIG v1.1.0
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2016 STIG MS STIG v1.1.0
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2019 STIG DC L1 v1.0.1
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2019 STIG DC STIG v1.0.1
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.2.0
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1 + BL + NG
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1 + BL
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.2.0
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2019 STIG MS L1 v1.0.1
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.2.0
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2019 STIG MS STIG v1.0.1
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1 + NG
1.1.2 Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2016 DC L1 v1.3.0
1.1.2 Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' | Windows | CIS Windows Server 2012 R2 DC L1 v2.5.0
1.1.2 Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2016 MS L1 v1.3.0
1.1.2 Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' | Windows | CIS Windows Server 2012 R2 MS L1 v2.5.0